Attorney Docket No.: FOUND-0058 (434103-049) 



Amendments to the Claims: 

This listing of claims will replace all prior versions, and listings, of claims in the application: 

1 . (Currently Amended) A layer 2 network access device for providing network security, 
comprising: 

a plurality of input ports; 

a switching fabric in the layer 2 network access device for routing data received on the 
plurality of input ports to at least one output port; and 

control logic in the layer 2 network access device adapted to authenticate a physical address 
of a user device coupled to one of the plurality of input ports, to authenticate user 
information provided by a user of the user device only if the physical address is valid, 
and to restrict access to the one of the plurality of input ports in accordance with a user 
policy associated with the user information only if the user information is valid. 

2. (Previously Presented) The network access device of claim 1, wherein the physical address 
comprises a Media Access Control (MAC) address. 

3. (Previously Presented) The network access device of claim 1, wherein the control logic is 
adapted to authenticate the user information in accordance with an IEEE 802. lx protocol. 

4. (Previously Presented) The network access device of claim 1, wherein the user policy 
identifies an access control list. 
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5. (Previously Presented) The network access device of claim 1, wherein the user policy 
includes an access control list. 

6. (Previously Presented) The network access device of claim I, wherein the user policy 
identifies a Media Access Control (MAC) address filter. 

7. (Previously Presented) The network access device of claim 1 , wherein the user policy 
includes a Media Access Control (MAC) address filter. 

8. (Previously Presented) The network access device of claim 1, wherein the control logic is 
adapted to send the user information to an authentication server and to receive an accept 
message from the authentication server if the user information is valid. 

9. (Previously Presented) The network access device of claim 8, wherein the authentication 
server comprises a Remote Authentication Dial-In User Service (RADIUS) server. 

10. (Previously Presented) The network access device of claim 8, wherein the accept message 
includes the user policy. 

1 1 . (Currently Amended) The network access device of claim 1 , wherein the control logic is 
further adapted to assign the one of the plurality of input ports to a virtual local area network 
(VLAN) (ULAN) associated with the user information if the user information is valid. 
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12. (Currently Amended) The network access device of claim 11, wherein the control logic is 
adapted to receive a message from an authentication server, wherein the message comprises 
a VLAN identifier (ID) associated with the user information, and to assign the one of the 
plurality of input ports to a VLAN ULAN associated with the VLAN ID. 

13. (Currently Amended) A method for providing network security, comprising: 
authenticating in a layer 2 network access device a physical address of a user device coupled 

to a port of the network access device; 
authenticating user information provided by a user of the user device to the network access 

device only if the physical address is valid; and 
restricting access to the port in accordance with a user policy associated with the user 

information only if the user information is valid. 

14. (Previously Presented) The method of claim 13, wherein the authenticating a physical 
address comprises authenticating a Media Access Control (MAC) address. 

15. (Previously Presented) The method of claim 13, wherein the authenticating the user 
information comprises authenticating the user information in accordance with an IEEE 
802. lx protocol. 

16. (Previously Presented) The method of claim 13, wherein the restricting access comprises 
restricting access to the one of the plurality of input ports in accordance with an access 
control list. 
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17. (Previously Presented) The method of claim 13, wherein the restricting access comprises 
restricting access to the one of the plurality of input ports in accordance with a Media 
Access Control (MAC) address filter. 

18. (Previously Presented) The method of claim 13, wherein the authenticating the user 
information comprises: 

sending the user information to an authentication server; and receiving an accept message 
from the authentication server if the user information is valid. 

19. (Previously Presented) The method of claim 18, wherein the authentication server 
comprises a Remote Authentication Dial-In User Service (RADIUS) server. 

20. (Previously Presented) The method of claim 18, wherein the receiving an accept message 
comprises receiving an accept message that includes the user policy. 

21. (Previously Presented) The method of claim 13, further comprising: 
assigning the port to a virtual local area network (VLAN) associated with the user 

information only if the user information is valid. 

22. (Previously Presented) The method of claim 21, wherein the assigning the port to a VLAN 
comprises: 
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receiving a message from an authentication server, wherein the message comprises a VLAN 

identifier (ID) associated with the user information; and 
assigning the port to a VLAN associated with the VLAN ID. 

23. (Currently Amended) A network system, comprising: a data communications network; 
a layer 2 network access device coupled to the data communications network; and 

a user device coupled to a port of the network access device; 

wherein the network access device is adapted to authenticate a physical address of the user 
device, to authenticate user information provided by a user of the user device only if the 
physical address is valid, and to restrict access to the port in accordance with a user 
policy associated with the user information only if the user information is valid. 

24. (Previously Presented) The system of claim 23, wherein the physical address comprises a 
Media Access Control (MAC) address. 

25. (Previously Presented) The system of claim 23, wherein the network access device is 
adapted to authenticate the user information in accordance with an IEEE 802. lx protocol. 

26. (Previously Presented) The system of claim 23, wherein the user policy identifies an access 
control list. 

27. (Previously Presented) The system of claim 23, wherein the user policy includes an access 
control list. 
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28. (Previously Presented) The system of claim 23, wherein the user policy identifies a Media 
Access Control (MAC) address filter. 

29. (Previously Presented) The system of claim 23, wherein the user policy includes a Media 
Access Control (MAC) address filter. 

30. (Previously Presented) The system of claim 23, further comprising: 
an authentication server coupled to the data communications network; 
wherein the network access device is adapted to send the user information to the 

authentication server and to receive an accept message from the authentication server if 
the user information is valid. 

3 1 . (Previously Presented) The system of claim 30, wherein the authentication server comprises 
a Remote Authentication Dial-In User Service (RADIUS) server. 

32. (Previously Presented) The system of claim 30, wherein the accept message includes the 
user policy. 

33. (Previously Presented) The system of claim 23, wherein the network access device is 
further adapted to assign the port to a virtual local area network (VLAN) associated with the 
user information if the user information is valid. 
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34. (Previously Presented) The system of claim 33, further comprising: 
an authentication server coupled to the data communications network; 

wherein the network access device is adapted to receive a message from the authentication 
server, wherein the message comprises a VLAN identifier (ID) associated with the user 
information, and to assign the port to a VLAN associated with the VLAN ID if the user 
information is valid. 

35. (Previously Presented) The network access device of claim 2 wherein the control logic is 
further configured to: 

if authentication of the MAC address indicates the MAC address is invalid, 
drop packets from the user device; or 
disable the port; 

if authentication of the user information indicates the user information is invalid, block all 
traffic on the port except for packets related to a user authentication protocol; 

if authentication of user information indicates the user information is valid, determine 
whether the user is associated with a VLAN supported by the network access device; 

if the user is not associated with the VLAN, 

assign the port to a port default VLAN; and 

block all traffic on the port except for packets related to the user authentication 
protocol; and 
if the user is associated with the VLAN, 

assign the port to the VLAN associated with the user; and 
forward packets from the user device. 
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36. (Previously Presented) The method of claim 14, further comprising: 

if the authenticating of the MAC address indicates the MAC address is invalid, 
dropping packets from the user device; or 
disabling the port; 

if the authenticating user information indicates the user information is invalid, blocking all 
traffic on the port except for packets related to a user authentication protocol; 

if the authenticating user information indicates the user information is valid, determining 
whether the user is associated with a VLAN supported by the network access device; 

if the determining indicates the user is not associated with the VLAN, 
assigning the port to a port default VLAN; and 

blocking all traffic on the port except for packets related to the user authentication 
protocol; and 

if the determining indicates the user is associated with the VLAN, 
assigning the port to the VLAN associated with the user; and 
forwarding packets from the user device. 



37. (Previously Presented) The network system of claim 24 wherein the network access device 
is further adapted to: 

if authentication of the MAC address indicates the MAC address is invalid, 
dropping packets from the user device; or 
disabling the port; 
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if authentication of the user information indicates the user information is invalid, block all 
traffic on the port except for packets related to a user authentication protocol; 

if authentication of user information indicates the user information is valid, determine 
whether the user is associated with a VLAN supported by the network access device; 

if the user is not associated with the VLAN, 

assign the port to a port default VLAN; and 

block all traffic on the port except for packets related to the user authentication 
protocol; and 
if the user is associated with the VLAN, 

assign the port to the VLAN associated with the user; and 
forward packets from the user device. 

38. (Currently Amended) An apparatus for providing n e twork s e curity, comprising: 
a plurality of input ports; 

a switching fabric for routing data received on the plurality of input ports to at least one 

output port; and 
control logic adapted to: 

authenticate a physical address of a user device coupled to one of the plurality of input 
ports; 

drop packets from the user device if the physical address is invalid; 
authenticate user information provided by a user of the user device only if the physical 
address is valid; 
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if authentication of the user information indicates the user information is invalid, block 
all traffic on the one of the plurality of input ports except for packets related to a 
user authentication protocol; 
if authentication of user information indicates the user information is valid, determine 
whether the user is associated with a VLAN supported by the apparatus by 
receiving a message from an authentication server, wherein the message comprises 
a VLAN identifier (ID) associated with the user information; 
if the user is not associated with the VLAN, 

assign the one of the plurality of input ports to a port default VLAN; and 
block all traffic on the one of the plurality of input ports except for packets related to 
the user authentication protocol; and 
if the user is associated with the VLAN, 

assign the one of the plurality of ports to the VLAN associated with the user; and 
restrict access to the one of the plurality of input ports in accordance with a user 
policy associated with the user information. 



39. (Previously Presented) The apparatus of claim 38, wherein the apparatus comprises a layer 
2 network access device. 



40. (Previously Presented) A method for providing network security, comprising: 

authenticating a physical address of a user device coupled to a port of a network access 
device; 

dropping packets from the user device if the physical address is invalid; 
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authenticating user information provided by a user of the user device only if the physical 
address is valid; 

if the authenticating of the user information indicates the user information is invalid, 
blocking all traffic on the port except for packets related to a user authentication 
protocol; 

if the authenticating of the user information indicates the user information is valid, 

determining whether the user is associated with a VLAN supported by the network 
access device by receiving a message from an authentication server, wherein the 
message comprises a VLAN identifier (ID) associated with the user information; 
if the user is not associated with the VLAN, 

assigning the one of the plurality of input ports to a port default VLAN; and 
blocking all traffic on the one of the plurality of input ports except for packets related 
to the user authentication protocol; and 
if the user is associated with the VLAN, 

assigning the one of the plurality of ports to the VLAN associated with the user; and 
restricting access to the one of the plurality of input ports in accordance with a user 
policy associated with the user information. 

41 . (Previously Presented) The method of claim 40, wherein the network switch comprises a 
layer 2 network access device. 

42. (Previously Presented) A network system, comprising: 
a data communications network; 
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a network access device coupled to the data communications network; and 
a user device coupled to a port of the network switch, wherein the network access device is 
adapted to: 

authenticate a physical address of a user device coupled to one of the plurality of input 
ports; 

drop packets from the user device if the physical address is invalid; 
authenticate user information provided by a user of the device only if the physical address 
is valid; 

if authentication of the user information indicates the user information is invalid, block 
all traffic on the one of the plurality of input ports except for packets related to a user 
authentication protocol; 
if authentication of user information indicates the user information is valid, determine 
whether the user is associated with a VLAN supported by the network access device 
by receiving a message from an authentication server, wherein the message 
comprises a VLAN identifier (ID) associated with the user information; 
if the user is not associated with the VLAN, 

assign the one of the plurality of input ports to a port default VLAN; and 
block all traffic on the one of the plurality of input ports except for packets related to 
the user authentication protocol; and 
if the user is associated with the VLAN, 

assign the one of the plurality of ports to the VLAN associated with the user; and 
restrict access to the one of the plurality of input ports in accordance with a user policy 
associated with the user information. 



Page 13 of 26 



Attorney Docket No.: FOUND-0058 (434103-049) 



43. (Previously Presented) The network system of claim 42, wherein the network access device 
comprises a layer 2 network access device. 

44. (Previously Presented) The device of Claim 1 wherein the user information comprises a 
user name and a password. 

45. (Previously Presented) The method of Claim 13 wherein the user information comprises a 
user name and a password. 

46. (Previously Presented) The system of Claim 23 wherein the user information comprises a 
user name and a password. 
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